Security Education - Security Center

This section explains how the Cisco Security Education Program was designed and executed, and provides examples and templates you can use.

Even though a company's workforce may be well-informed about hardware and software security, they may still be vulnerable when it comes to the front lines of cybercrime. Like many companies, Cisco is engaged in a running technical battle to protect its service offerings from fraudulent use. We are also actively engaged in the human side of this issue: the areas of social engineering and social networking.

Cisco has embedded security into corporate initiatives and into our code of business conduct; as a result, employees are assimilating security in their daily activities. With educated employees and raised awareness throughout the organization, everyone works together toward the common goal of keeping us and our partners and customers secure.

The Cisco Security Education Program helps to:

  • Make security pervasive, extensive, and unobtrusive across the company
  • Change behavior through active, positive reinforcement, rewards and incentives, and cross-collaboration
  • Protect intellectual assets and computing resources

The Security Education Program is essentially an internal marketing campaign to raise awareness about security risks and promote corresponding good practices across the organization. This program is supported by Cisco executive leadership as well as regular employees. It has mandatory and opt-in elements, and is positive and motivational.

The Cisco Security Education Program team consists mostly of volunteer employees worldwide who have a passion for security. The team creates the global security strategy, with global messaging and branding. It plans the program's worldwide goals, and then introduces awareness campaigns on a local, regional basis, allocating resources as needed. All local initiatives follow the global branding to help ensure a consistent, coherent look and feel for all security deliverables.

For the past five years, Cisco's Security Education Program has focused on those aspects of security that relate to human behavior, with awareness campaigns on tailgating, theft, being aware of your circumstances when you're working while on the road, and document security. In the last year, we've added campaigns on social engineering and social networking to raise awareness in areas where our natural human instincts to befriend each other and gather in like-minded groups are, paradoxically, what put us most at risk.

Create Your Own Security Program

The sections below give a step-by-step guide to creating and executing a security education plan in your organization, with examples from Cisco's own experience.

We hope this material will help you set up an awareness program at your company. We welcome your feedback. We would like to learn from you, too, so let us know what you would like more of.

Security is about risk tolerance, an individual's actions and responsibilities, and applied technology. At Cisco, we are all accountable for our actions and rewarded for leadership behaviors that help keep our customers, partners, suppliers, and ourselves as secure as possible. Awareness and education are vital for our success.
- John N. Stewart,
Cisco Vice President and Chief Security Officer

Once you have established the need for a Security Education Program, you will need to assign resources, assemble a team, and decide on branding.

Dedicate someone to lead your program and focus 100 percent of their energy on security education across the organization. Be sure to appoint an individual who has exemplary communications skills, and knows how to sell, market, and build relationships. The Cisco Security Education Program is led by a communications expert, rather than by an engineer or technical expert, because the main focus of the program is the creation of a pervasive mindset about security.

Be sure to get support from upper management. When the Chief Executive Officer says security is important and practices what he or she preaches, employees take notice.

With minimal resources to carry out the program, it is important to build strong relationships, engage influencers, and nurture those connections. As noted above, the Cisco Security Education Program team consists mostly of volunteer employees worldwide who have a passion for security. A global team creates the security strategy, messaging, and branding, plans the program's worldwide goals, and then introduces awareness campaigns on a local, regional basis, allocating resources as needed. All local initiatives follow the global branding, to help ensure a consistent, coherent look and feel for all security deliverables.

Once you have established your team, you can begin building out your Security Education Program.

Some security risks result from technology failures, but most result from human behavior. People take unsafe measures to save time and effort, and may lack awareness about the security risk involved.

The best way to find out what security risks threaten your organization is to ask your employees. They are the eyes and ears of the workplace. Also, ask your information security department about risks they may have identified. For example, employees who download illegal movies, music, and software without permission are not going to talk about it. But the security team may be monitoring the network, and may see this behavior as a big risk.

Cisco has categorized its employees according to their role, business unit, and region. Each group has specific security needs. For example, engineers, being technical, might decide to disable a security setting because it slows them down, or they might install their own firewall. Sales representatives have a different set of risks. Since they travel often, they might use a laptop on an unsecured wireless network, or read confidential documents during a plane flight without using a privacy filter.

Employees in different regions also have particular needs. Being culturally relevant and appropriate was vitally important to the Cisco program.

It is important to ask not only what risks different groups see themselves and their peers taking, but also how they think those risks could be combated. By customizing your message to fit organizational and regional cultures, you are more likely to make a difference.

Cisco used interviews and focus groups, and asked each group of employees the following questions:

  • What do you see as a risk?
  • Why do you consider it a risk?
  • How do you think we should combat this risk?
  • How should we communicate with you?

We gained a tremendous amount of insight through those sessions.

  1. Engineers: Cisco interviewed engineers in depth, across different disciplines, grade levels, and countries. They identified tailgating (following someone into a building or protected area) as a high security risk. In terms of their preferred method of receiving training materials, 80 percent said they preferred short, web-delivered videos.
  2. Sales representatives: When interviewed at our annual global sales meeting, Cisco sales representatives helped identify awareness of surroundings as a risk. Confidential information is frequently discussed over lunch at the local restaurant. In terms of communication, sales representatives need a compelling story to feel motivated to take action, and want to know the worst-case scenario. They also need to know what they gain if they make the extra effort to avoid a risk.

Based on your research, as well as on industry research and trends reported in the media, you may find several areas of risky behavior that need to be addressed. However, it is best to focus on the top three or four that can be addressed by an awareness program, rather than try to address everything at once. If you try to do too much, you risk overloading employees with information, and you will lose their awareness. By focusing on a few risks at a time, you can help ensure clear, consistent communication that employees can understand and act on, and you can more easily measure its effect.

Once you have identified the risky behaviors you want to target, define clear messaging to address and counter each risk. Here are some examples of risks Cisco has targeted:

Tailgating
This is the practice of following someone who has a valid company ID through an open door; it is also known as piggybacking. Tailgating is easy to do, and is often practiced by people with valid ID badges.

Tailgating is one of the biggest threats to a highly-secure environment, particularly in larger offices, facilities, or public buildings with large numbers of people, where it becomes virtually impossible for employees to be expected to recognize each other. Tailgating circumvents the physical access controls necessary to prevent property and information theft. Laptops are the most common stolen item. Cisco has documented incidents where planned tailgaters entered through the security doors and stole Cisco assets. The planned tailgaters exploit the no-tech link: people.

To address this security problem, Cisco determined that it was necessary to educate employees about the dangers of tailgating, and how to politely challenge people to show their badge. If someone refuses, for any reason, an employee is encouraged not to let the person in, but instead to ask them to report to security for a replacement badge.

Document Security
A clear Data Classification Policy helps employees determine the relative sensitivity of documentation (including presentations, web content, and emails), and how it should be protected and disclosed internally or to other parties. Concise labeling guidelines help keep intellectual property and sensitive data highly secure.

Cisco uses several levels of classification to evaluate the sensitivity of data and define specific data protection requirements. The company specifies requirements for the protection of data at rest, in motion, and in use. Whether in the form of a document, an email, or even a verbal communication, valuable intellectual property must be protected. Cisco security policies require that classified information be stored safely in a file or disposed of in a Confidential Bin, and not left in the open. For example, when a confidential document is printed, it should be retrieved from the printer as soon as possible. Confidential Bins are located in each mailroom for proper disposal of documents.

Awareness of Surroundings
We open ourselves up to information security breaches when we least expect it. For example, imagine you are talking about your newly assigned project while waiting in line at the local coffee shop. Although the conversation is intended for you and your co-worker, are you certain that the person behind you is not listening?

Being aware of your surroundings is a habit Cisco seeks to foster in its employees, in order to encourage them to be vigilant about not divulging confidential work-related information in public forums. Cisco has also started a privacy filter campaign to encourage employees to request and install a privacy filter on their laptops, which prevents people from reading the content.

Social Engineering
Social engineering is a growing threat, and administrative assistants are the main targets of social engineering attacks. Attackers seek to manipulate people into performing actions or divulging confidential information. They call into companies, posing as someone else, and ask for contact information or details. Often, the callers identify themselves as company employees, and are able to provide directory information. This leads the recipients of the phone calls to believe that the callers are employees who are conducting company business. Social engineering exploits our natural, human urge to be of help.

One particular incident involved a caller who claimed to be a company employee and to have an urgent contract that needed to be signed by a Senior Vice President. The caller used several tactics to gain information:

  • Claimed that her system was down
  • Said that she had an urgent deadline that required a signature by the close of business day
  • Requested the cell phone number of a Senior Vice President
  • Used multiple calls to gather information, including the phone number of the Vice President's administrative assistant.

The caller was unsuccessful: the employee followed the guidance, and the caller was unable to manipulate the employee into an action that would have put the company at risk. Another suspicious call came from a person who said she was from an organization researching the "top IT managers in the industry," and then asked for another IT manager's contact information.

To help keep your company safe from social engineering, Cisco publicizes these security tips for anyone receiving phone calls:

  • Do not discuss or provide any company information until you confirm the caller's identity as an employee by using the corporate directory.
  • Ask the caller to provide a phone number that you can use to return his or her call. The caller should provide a company number (any number listed in the corporate directory). You can offer to send information to a highly-secure company voicemail or email account, or you can transfer the caller directly to the person requested without providing their contact details.
  • Never provide employee, project, or company details to strangers or external email accounts.
  • Take notes on a suspicious caller, such as a particular accent, caller ID, and the date, time, and duration of the call. File a report with security.

Based on your target risks, you can now plan an awareness campaign to address each target area. For each campaign, you will need a variety of deliverables.

Different employee types need different types of material. For example, employees may not all use email the same way. Also, employees who spend the majority of their time on the road likely will not see a poster hanging in the mailroom, and may not have the bandwidth to access lengthy videos. Employees in different regions also differ as to which material has the greatest impact. An appropriate means of communication in one culture may not work in another. So you need to think globally and act locally.

You can download a template that will guide you through planning an awareness campaign. (PDF 43.3 KB)

Think Globally, Act Locally
In the past, Cisco established overall campaigns, adjusted by region in terms of delivery, or had campaigns that were designed from the outset for specific regions. For example, the Cisco social engineering awareness campaign was targeted principally to a specific geographic region where the majority of social engineering attacks were occurring. Cisco was aware of the threat globally, but started with the campaign in the one region, and introduced it globally in a second phase.

Cisco discovered, over time, that different regions respond well to different deliverables. For example, in India, employees said that they like posters they can display in their office. In the United States, posters are often considered dated, and digital signage is the latest medium. In the Asia Pacific region and in Russia, employees said they like to receive certificates for trainings they have completed, whereas in the United States, people rarely print and display a training certificate. Russian employees also explained that they prefer specific, detailed instructions on what is permitted and not.

To help Cisco employees think globally, and act locally, a global team of local leads was established who could either customize or design deliverables for their region, according to their needs.

It is important to have a security brand that distinguishes your security messaging. It creates a consistent look and feel worldwide, so that when people see one of your messages, they know that it is important, clear, and useful.

Distinctive branding makes your communications look professional, emphasizes that your campaign is backed by your organization's executives, and allows you to adjust your campaigns regionally but maintain the overall message, which is about the vital importance of securing your company. If you are going to adjust your campaigns regionally, then you need to be vigilant and make sure that all deliverables have a consistent look and feel, and use consistent messaging and branding across regions. It helps to create templates that are available in a single repository, along with clear branding and messaging guidelines.

Cisco planned the following deliverables:

  • An Intranet site that served as a single, central repository of security information, with links to report an incident, view breaking news, and access training materials and relevant background information
  • Short instructional and motivational flash videos
  • Award-winning general security education videos (If you would like to view these, please contact us, either by WebEx or in person. For copyright reasons, a Cisco employee must be present when these videos are viewed.)
  • Annual employee awareness trainings
  • Executive communications on security, through video on demand
  • Regional awareness events with speakers
  • Global virtual security event with online live streaming video and audio
  • Internal announcements and articles on the corporate intranet
  • New hire orientations

Your security education campaign needs to be ongoing to keep your employees thinking about security. It also needs to address the primary segments of your organization, and all the different regions you are in.

Managers need to push the security messages to their teams. If executives are behind the security education campaign, it becomes more effective. But while you are getting executive support, continue with an overall employee campaign.

Your security education program needs to reflect your company's culture. For example, Cisco has a culture in which employees are encouraged to take ownership on a voluntary basis and promote security throughout their organizations. Some of the Cisco programs are mandatory and some are not. Since we wanted to encourage all employees at every level to know that they are responsible for security, most of our security education program was built on an opt-in basis. We designed the program to be motivational and inspiring, to make taking responsibility for security intrinsically rewarding.

At Cisco, we proactively planned 3-4 major awareness campaigns per year, and we designated resources for reactive, or even emergency, communications as issues came up. We use a phased approach, introducing our campaigns by region, with a global team of Cisco volunteers managing local introduction of specific regional deliverables.

Here are some useful things to remember when you are planning how to get your message out:

  • Identify the right communications vehicles. Look for opportunities to tell the security story. Include your message at special events, such as management summits and global sales meetings, and use newsletters that are already in circulation. Do not be afraid to reuse initiatives that have worked in the past.
  • Consider joint statements. If another compliance team is already planning to send a newsletter or article, join your message with theirs if it makes sense and reaches your audience. Often, it is hard to get your message heard above the emails, meetings, and phone calls of an organization.
  • Use credible sources: When communicating to large audiences, feature people who are recognized and trusted and use respected communications vehicles.
  • Keep your messages short and simple: Short, clear messages are easier to retain. Keep in mind that message retention comes from a continuous, sustaining program, so repetition is important.
  • Use rewards and recognition: Develop a system that rewards individuals who have made extra effort to affect change. Include monetary incentives and companywide recognition.
  • Make training available at every level and encourage participation. Track compliance and foster competition between organizations (with management support) or within organizations to improve completion rates. When everyone is on board, the results can be impressive.

A sense of community is critical for receiving employee support and establishing a new culture of security. Building a sense of community in today's distributed workforces can be difficult. Some useful methods are:

  • Creating a security advocates program
  • Running global virtual events
  • Using social media

Cisco Security LEAD Program
Cisco recruited a special team of volunteer security advocates (employees and Cisco-badged contractors) to create a culture of awareness and help communicate security risks. These individuals volunteer to publicize security education and directly influence behavior change by Leading, Educating, Advocating, and Demonstrating (LEAD).

LEAD personnel provide a security education point of contact for those around them, and communicate the importance of keeping Cisco highly secure. Some of the ways they can help are:

  • Identifying and communicating security questions, issues, and concerns
  • Participating in a quarterly review and brainstorming meeting
  • Implementing programs and campaigns
  • Submitting feedback and suggestions

When an employee becomes a LEAD, their manager receives a notification. The LEAD then receives a welcome package with a few thank-you gifts, which also lets everyone know they are part of the Security LEAD team. The LEAD kit includes:

  • An official LEAD fleece jacket
  • An aluminum LEAD water bottle
  • A cubicle flag, identifying the LEAD as a security resource
  • Electronic badge to add to his or her Cisco Directory listing

Global Security Education Event
At Cisco, we created a global event to increase awareness of security programs, services, and best practices. Since our workforce is global and distributed, with many employees working remotely, we ran this as a virtual event, as well as a live, in-person event. To create the global event, the security education team collaborated with different security business units, to help ensure that the information would be relevant to all verticals and positions within the company. For example:

  • Human Resources provided information on data privacy, along with training for managers and HR representatives.
  • A webinar specifically for engineers, about designing products that resist unwanted network access or malicious hacker attacks, was offered, along with a video on demand (VOD) for later viewing.
  • A streamed video allowed employees to listen live while the Chief Security Officer answered questions from the San Jose campus. This was also available as a VOD afterwards. We asked security experts to prepare questions in order to seed the discussion.

The event took place during lunchtime in Cisco cafeterias throughout the world. A representative from a security organization answered questions and directed employees to the virtual event for continuous participation. Topics included:

  • Tailgating
  • Public awareness
  • Data classification markings
  • Social networking
  • Laptop security
  • Privacy team
  • Training
  • Reporting incidents
  • Survey

Giveaways were offered as an incentive for people to attend the event, including:

  • Travel mouse
  • Drawing for FLIP camera, one per theater
  • Fortune cookies with a Security website link and security messages

Using Social Media to Create Community
It can be difficult to foster a sense of community in a distributed global workforce. Social media can help with this. At Cisco, we use discussion forums, blogs, and wikis. However, if you are going to use these, you need to be aware of certain important issues:

  • You need to provide a discussion forum or a wiki with content, often for several months. People need something to respond to. Once there is an increase in activity, the community will begin to generate its own content, but you need to help it along.
  • It is important to monitor the content. Sometimes, individual pieces of information that are not confidential can build a picture that reveals too much when the pieces are aggregated. Sometimes, a person will post an item without realizing the implications.

At Cisco, we post all our campaigns, with source files, toolkits, and background information, in a central repository for people to reuse. However, we often find that people will not obtain information by themselves. We need to push it to them in the form of email notifications with direct links.

How do you know if you are making a difference? It is difficult to measure behavioral change. An increase in incidents being reported can result from an increase in incidents or from an increase in awareness of incidents. Since behavior change doesn't happen quickly, you need a long-term approach.

At Cisco, we measure:

  • How many people attend events
  • How many people click through to an online article
  • How many people respond to online quizzes (People enjoy quizzes because they are interactive and fun, and a little competitive. At Cisco, as soon as you answer the quiz, you receive the correct answer and a bit more information, resulting in instant gratification.)
  • Number of members of the Security LEAD program
  • Number of participants in wiki or blog discussions
  • Number of requests for more information
  • Reduction in the risky behaviors or security incidents that your awareness program was addressing, for example fewer stolen laptops

Cisco's Latest Global Security Event

Cisco's second annual global security event focused on the topic of staying safe online. As well as the usual seminars on secure coding and IT-based security, we recruited speakers on topics that people are less informed about, and often more concerned with, such as how to keep our kids safe online and how to avoid identity theft in a world where so many of our connections happen through unsecured social networking sites.

To accommodate our global, distributed workforce, including many employees that work remotely, we ran this as both a virtual event and a live, in-person event. We invited guest speakers, industry experts, and in-house thought leaders. Since we wanted to include our non-U.S.-based workforce, we scheduled the webinars for international audiences, repeating many of them at different times, so that viewers in different regions could attend. All of the sessions were recorded and posted on our internal website for later viewing.

The live part of the event took place during lunchtime in Cisco cafeterias throughout the world. Employees were invited to drop into live sessions with in-house security leaders, discussing questions from the audience. The main live session featured Cisco Chief Security Officer John Stewart. It was held at our San Jose campus and broadcast live worldwide. Reservations and ticketing were handled via a third-party online event management website. We asked our security experts to prepare questions in order to seed the discussions, which became lively conversations.

We also created a website for the security event, which went live at midnight on the day before. It contained links to the keynote broadcast, all the webinars and videos, and other useful material.

Some examples from the event include:

  • A live keynote by an industry expert on cybercrime, simultaneously broadcast live over Cisco TV for global viewing.
  • An engineer-focused webinar about designing products that resist unwanted network access or hacker attacks.
  • Webinars about staying safe online, including how to cross the digital generation gap to be able to imagine the online world our kids operate in every day.
  • An online quiz asking questions about security issues and how to identify and respond to risks, with a "security score" at the end.

Some of the content from our most recent Global Security Event:

  • Frank Abagnale: It takes a thief to catch a thief (webinar)
    Frank Abagnale knows the business of security from both sides. After a successful early life of crime, he has become a world authority on forgery, embezzlement, and security. He has been associated with the FBI for more than 35 years and lectures extensively at the FBI Academy and at FBI field offices. More than 14,000 financial institutions, corporations, and law enforcement agencies use his fraud prevention programs.

    Frank's previous life as a successful con man was featured in the film 'Catch Me If You Can.'

  • Lori Getz: Stay safe online with your family (webinar)
    The growing Internet-driven generation gap often provokes conflict. Parents are concerned with keeping their children safe, yet unsure as to how to apply parenting skills to an unfamiliar medium. In this session, Lori Getz explains how to bridge the gap between the young generation of Internet users and their parents and teachers. Lori has lectured all over the U.S. and frequently appears on shows such as "TODAY," "Dr. Phil," and CNN's "Prime News." She is the author of "Safety Kid™ on the Net" (an early education Internet safety program) and writes an Internet safety column for

  • Christopher Burgess: Keeping your parents safe online (video)
    Christopher Burgess, Senior Cisco Security Advisor, offers three tips for keeping our parents safe online.

Staying safe online

Good password policy

Passwords are the front line of protection for your accounts. A poorly chosen password may result in the compromise of your company's entire corporate network. Always use a strong password.

Create a corporate password policy that gives people clear details on how to create strong passwords, how to protect those passwords, and how often to change them. Cisco works with The National Cyber Security Alliance, whose Stay Safe Online organization offers the following excellent advice on passwords:

  • Use passwords that have at least eight characters and include numerals and symbols.
  • Avoid common words: Some hackers use programs that can try every word in the dictionary.
  • Don't use your personal information, your login name, or adjacent keys on the keyboard as passwords.
  • Change your passwords regularly (at minimum, every 90 days).
  • Use a different password for each online account you access (or at least a variety of passwords with difficulty based on the value of the information contained in each).

One way to create a strong password is to think of a memorable phrase and use the first letter of each word as your password, converting some letters into numbers or symbols that resemble them. For example, "How much wood could a woodchuck chuck" would become HmWc@wC. Never give anyone your passwords in plain text on the Internet, over email, or on the phone.
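The bulleted password rules above can be turned into an automated check that a help desk or account-provisioning script applies before accepting a new password. The following is an added example written for this page, not Cisco's or the National Cyber Security Alliance's own code. The dictionary word list and keyboard rows are constructed stand-ins (a real deployment would load a full banned-word list), and the login name and personal-information inputs are assumptions about what the caller can supply.

```python
import re
import string
from datetime import date

# Constructed, deliberately tiny stand-in for a real dictionary / banned-word list.
COMMON_WORDS = {"password", "welcome", "letmein", "monkey", "dragon",
                "football", "sunshine", "woodchuck"}

# Rows of a US QWERTY keyboard, used to detect runs of adjacent keys ("qwerty", "asdfg", "1234").
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

MIN_LENGTH = 8                # "at least eight characters"
ADJACENT_RUN = 4              # this many consecutive keys from one row is rejected (assumed threshold)
MAX_PASSWORD_AGE_DAYS = 90    # "change your passwords regularly (at minimum, every 90 days)"


def _adjacent_key_run(password):
    """True if the password contains ADJACENT_RUN consecutive keys from one keyboard row,
    in either direction (e.g. 'qwer' or 'rewq')."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - ADJACENT_RUN + 1):
                if seq[i:i + ADJACENT_RUN] in low:
                    return True
    return False


def check_password(password, login_name="", personal_info=()):
    """Evaluate a candidate password against the policy bullets.

    Returns the list of rules the password violates; an empty list means it passes.
    personal_info is an iterable of strings the user should not embed (birth year, pet name, ...).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")

    low = password.lower()
    # Strip digits and symbols so that "Password1!" is still recognised as the word "password".
    letters_only = re.sub(r"[^a-z]", "", low)
    if low in COMMON_WORDS or letters_only in COMMON_WORDS:
        problems.append("common dictionary word")

    if login_name and login_name.lower() in low:
        problems.append("contains login name")
    for item in personal_info:
        if item and item.lower() in low:
            problems.append("contains personal information: %s" % item)

    if _adjacent_key_run(password):
        problems.append("adjacent keyboard keys")
    return problems


def rotation_due(last_changed, today):
    """True once a password has been in use for MAX_PASSWORD_AGE_DAYS or longer."""
    return (today - last_changed).days >= MAX_PASSWORD_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample inputs; the first is the passphrase-derived example from the text.
    for pw in ("HmWc@wC", "Password1!", "qwerty12!", "jsmith2024!", "Wh3n!nR0me"):
        verdict = check_password(pw, login_name="jsmith", personal_info=("1985",))
        print("%-12s %s" % (pw, "OK" if not verdict else "; ".join(verdict)))
    print("rotation due:", rotation_due(date(2024, 1, 1), date(2024, 3, 31)))
```

Note that the checker flags the page's own phrase-derived example, HmWc@wC, as too short, since it has seven characters against the eight-character minimum in the first bullet; a phrase with one or two more words fixes that. The rules that cannot be verified from the password string alone (using a different password per account, never disclosing it in plain text) remain training messages rather than checks.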

Configuring your PC

Make sure your PC is configured for maximum security. Updates and patches usually contain updated security features, and they are often released to respond to new security threats. Your PC should be up to date at all times.

Blocking Malware and Spyware

Never block security features in the software you use, and always install updates and patches without delay when they get pushed to your PC from corporate IT. Many updates and patches address the rapidly evolving security threats posed by spyware and malware: sneaky software that can get downloaded onto your PC without your permission and then act without your knowledge. In the worst cases, such software can track where you go online, log your keystrokes (which means it can find out your passwords), send copies of email and other information to third parties, and send infected emails and attachments to people in your contact lists.

Confidential Information

Take care with confidential information

Keep sensitive information close to home.

Think twice about file sharing

Confidential data should always be shared through one of your company's internal, collaborative tools. Don't share files and documents via non-corporate microblogging tools, email systems, or other public applications.

For example, many employees use online chat applications like Yammer, Yahoo, Google, or Facebook. Often, people upload technical documentation and presentations via these applications, even though they know this presents a security risk, because it's quick and easy and doesn't seem to be doing any harm. But think again! Once those documents leave your protected corporate network and enter the chat application's network, they are no longer protected and are considered compromised.

Don't use thumb drives for confidential data

Don't download your company's confidential information onto a local device (such as a USB drive or a laptop) and then take it out of the office; some information needs to stay within the corporate network. If the device gets lost or stolen, the confidential information will be lost or stolen as well. Instead, work remotely over a secured connection, in an environment where you can't be overlooked.

Identity Theft

Avoiding identity theft

Identity theft is a type of fraud by which someone pretends to be someone else, usually in order to get access to their resources or to obtain credit and other benefits by using that person's name.

In order to pose as someone else, the perpetrator of the fraud needs to get that person's authentication information: passwords, Social Security number, bank account numbers, PINs, etc. An article on Wikipedia presents some of the different ways that people obtain this information, including rummaging through trash looking for old bank statements, going through hard drives that have been given away for recycling at an IT center, and phishing.

The risk of full-scale identity theft is small (only 1% of U.S. households were hit by it last year), but smaller scale identity fraud is on the rise. Following our password guidelines will help protect the data held on your PC. Shredding personal documents before you get rid of them will help protect paper-based information.

This Yahoo article has more suggestions about how to stay safe. For example, don't post your date of birth, place of birth, mother's maiden name, first pet's name, or other personal information in a public access space on social networking websites. These details are often used to verify your identity and could allow an imposter to get access to your accounts.

Read the next sections for how to avoid getting caught by phishing and social engineering.


Don't fall for phishing

Phishing is typically carried out by e-mail or instant messaging. The target receives an email or message that seems to come from a bank, e-commerce site (such as eBay or Amazon), or other legitimate institution, asking him or her to provide essential details for official reasons. The message often directs the target to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake.

If in doubt, do not follow the link in the email. Go directly to the site by typing in its URL, and see if you get an equivalent message. Never give out your PIN, password, Social Security number, or any other unique identifiers via plain text on email or on an unsecured website. (Secure website addresses begin with "https://" rather than "http://"; sometimes the lack of that extra "s" is the only indication that a site is fake!)

Social engineering

Don't get socially engineered

Social engineering is the act of manipulating someone into giving out confidential information. Sometimes it is done by phone, and increasingly these days it is done over a social network, such as Facebook. Check the privacy settings for your profile to ensure that your posts and information are only accessible by people you trust, and be very careful who you add to your friend networks.

You can learn more about staying safe on social media by listening to this ten-minute VOD.

Social engineering example

A security company called Netragard recently ran a social engineering experiment to see how easily they could exploit people's trust in a classic social engineering attack. They made up a fake profile on Facebook and invited people to "friend" them, based on the "fact" that they were employees of the same company. They then posted a link that their new "friends" clicked.

Once people clicked and verified their credentials, the Netragard team had their private data, which they used to gain access to the company's VPN and internal systems. The experiment took less than one week. In case you think you'd never fall for this, consider that Netragard says 90% of the people they targeted trusted them because they thought they worked for the same company!

Netragard's blog post is called "Facebook from the Hacker's Perspective." Here's an extract:

"Because most of the targeted employees were male between the ages of 20 and 40, we decided that it would be best to become a very attractive 28-year-old female. We found a fitting photograph by searching Google images and used that photograph for our fake Facebook profile. We also populated the profile with information about our experiences at work by using combined stories that we collected from real employee Facebook profiles.

Upon completion, we joined our customer's Facebook group. Joining wasn't an issue and our request was approved in a matter of hours. Within twenty minutes of being accepted as group members, legitimate customer employees began requesting our friendship. In addition to inbound requests we made hundreds of outbound requests. Our friends list grew very quickly and included managers, executives, secretaries, interns, and even contractors.

After having collected a few hundred friends, we began chatting. Our conversations were based on work-related issues that we were able to collect from legitimate employee profiles. After a period of three days of conversing and sharing links, we posted our specially crafted link to our Facebook profile. The title of the link was "Omigawd have you seen this I think we got hacked!" Sure enough, people started clicking on the link and verifying their credentials.

We used those credentials to access the web VPN, which in turn gave us access to the network. As it turns out, those credentials also allowed us to access the majority of systems on the network, including the Active Directory server, the mainframe, pump control systems, the checkpoint firewall console, etc. It was game over; the Facebook hack worked yet again."

Security Programs videos:

  • Security Programs - Tailgating
  • Security Programs - Public Awareness
  • Security Programs - Data Classification
  • Security Programs - Executive Communications on Security